Analysis

  • max time kernel
    145s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20220901-en locale:en-us os:windows10-2004-x64 system
  • submitted
    06-09-2022 08:51

General

  • Target

    1ab9115cce93709220c60217c4077c34.exe

  • Size

    657KB

  • MD5

    1ab9115cce93709220c60217c4077c34

  • SHA1

    4444d87625d9001bbbe99d975542b97884cb83a0

  • SHA256

    5f786ef7b4a40accb4b2903acf2bdf1b249c2c4514303bb7ca3c5ac6010ac9d4

  • SHA512

    cd46ae14d3a2c81ea4bd791a51b867293c10ee3771697f6204e816f055d366b4f9a2f9faa5285cf4dd3c5f49066aa6b75805dc61da3a561810a6ef87ac5a12e1

  • SSDEEP

    6144:dg5nk5lJmbKTk6b3HVaMjAsbNWTIRlRDBnN9PFja0HdjfCvA+YJJAUPvQ:dg5nkxmGT3Nx0MJN9PFrHdLCY+YJg

Malware Config

Extracted

Family

colibri

Version

1.2.0

Botnet

Build1

C2

http://zpltcmgodhvvedxtfcygvbgjkvgvcguygytfigj.cc/gate.php

http://yugyuvyugguitgyuigtfyutdtoghghbbgyv.cx/gate.php

Extracted

Family

redline

Botnet

Lyllkal.05.09

C2

185.215.113.216:21921

Attributes
  • auth_value

    2df530f82cb4bd0f6bef5527a1d5de70

Signatures

  • Colibri Loader

    A loader sold as MaaS first seen in August 2021.

  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

  • Detects Phoenix Miner Payload 2 IoCs
  • Downloads MZ/PE file
  • Executes dropped EXE 10 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Adds Run key to start application 2 TTPs 4 IoCs
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies Internet Explorer settings 1 TTPs 4 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe
    "C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:444
    • C:\ProgramData\conhost.exe
      "C:\ProgramData\conhost.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:64
      • C:\ProgramData\conhost.exe
        "C:\ProgramData\conhost.exe"
        3⤵
        • Executes dropped EXE
        PID:3936
    • C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe
      "C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe
        "C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:1536
        • C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe
          "C:\Users\Admin\AppData\Local\Temp\1ab9115cce93709220c60217c4077c34.exe"
          4⤵
          • Adds Run key to start application
          • Suspicious use of WriteProcessMemory
          PID:2384
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c start C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3656
            • C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
              C:\Users\Admin\AppData\Roaming\MSEdge\msedge.exe
              6⤵
              • Executes dropped EXE
              • Suspicious use of WriteProcessMemory
              PID:2884
              • C:\Users\Admin\AppData\Roaming\MSEdge\svchost.exe
                -pool us-eth.2miners.com:2020 -wal 0x298a98736156cdffdfaf4580afc4966904f1e12e -worker ferma -epsw x -mode 1 -log 0 -mport 0 -etha 0 -ftime 55 -retrydelay 1 -coin eth
                7⤵
                • Executes dropped EXE
                • Suspicious use of NtSetInformationThreadHideFromDebugger
                PID:2960
          • C:\Users\Admin\AppData\Local\Temp\73M12MMG2AKJ88F.exe
            "C:\Users\Admin\AppData\Local\Temp\73M12MMG2AKJ88F.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:3944
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C start C:\Windows\Temp\Lyllkal.05.09.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:2312
              • C:\Windows\Temp\Lyllkal.05.09.exe
                C:\Windows\Temp\Lyllkal.05.09.exe
                7⤵
                • Executes dropped EXE
                PID:2336
          • C:\Users\Admin\AppData\Local\Temp\2JIA9I1A3JH66A1.exe
            "C:\Users\Admin\AppData\Local\Temp\2JIA9I1A3JH66A1.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2092
            • C:\Windows\SYSTEM32\cmd.exe
              "cmd.exe" /C start C:\Windows\Temp\xsv.exe
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4688
              • C:\Windows\Temp\xsv.exe
                C:\Windows\Temp\xsv.exe
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                PID:3676
          • C:\Users\Admin\AppData\Local\Temp\CK2CMKF19EELFAF.exe
            "C:\Users\Admin\AppData\Local\Temp\CK2CMKF19EELFAF.exe"
            5⤵
            • Executes dropped EXE
            • Checks computer location settings
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1480
            • C:\Windows\SysWOW64\control.exe
              "C:\Windows\System32\control.exe" "C:\Users\Admin\AppData\Local\Temp\cZFJ.CPl",
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:4648
              • C:\Windows\SysWOW64\rundll32.exe
                "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\cZFJ.CPl",
                7⤵
                • Loads dropped DLL
                • Suspicious use of WriteProcessMemory
                PID:1364
                • C:\Windows\system32\RunDll32.exe
                  C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL "C:\Users\Admin\AppData\Local\Temp\cZFJ.CPl",
                  8⤵
                    PID:4352
                    • C:\Windows\SysWOW64\rundll32.exe
                      "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 "C:\Users\Admin\AppData\Local\Temp\cZFJ.CPl",
                      9⤵
                      • Loads dropped DLL
                      PID:1340
            • C:\Users\Admin\AppData\Local\Temp\8DLL701JA0B8CC1.exe
              https://iplogger.org/1QsEf7
              5⤵
              • Executes dropped EXE
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:4372

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Persistence

    Registry Run Keys / Startup Folder

    1
    T1060

    Defense Evasion

    Modify Registry

    2
    T1112

    Discovery

    Query Registry

    1
    T1012

    System Information Discovery

    2
    T1082

    Command and Control

    Web Service

    1
    T1102

    Downloads
